Facebook fanpage vs. GDPR – compliant or not?

What is the issue?

Is it possible to run a Facebook-Fanpage in compliance with data protection law? The ECJ (European Court of Justice) already stated in its judgement of June 5, 2018 (AZ-C-210/16) that the operation of Facebook-Fanpages is not data protection compliant[1]. So, is this ‘old hat’?

It is a fact that social media has gained in importance over the last years. Nowadays, more than half of the world population uses social media. This trend was further accelerated by the Corona pandemic, as can be read in the journal UPLOAD. Topics such as messenger communication will become more important within dialogue marketing. Real problem solvers, such as how-to lists or list articles, are supposed to win new customers[2].

In order to run a social media platform successfully as a provider, it is necessary to collect and analyse personal data. Even though you mostly do not have to pay for social media networks with money, they are not free. You pay for the service with your data.

Who exactly receives this data and how it will be used is often not transparent for the users[3]. And there are other obstacles. The portal site „Datenschutz und Datensicherheit“ of the Mensch und Medien GmbH, for example, states: Reading the privacy policy of TikTok requires 104.8 minutes on average, for the policy of WeChat you need 74.4 minutes and for LinkedIn you have to spend 48.2 minutes[4]. I thus wonder: who reads this at all?

Even though a judgement of 2018 found that a Facebook-Fanpage cannot be run in compliance with data protection law, social media has an enormous economic importance for the majority of companies. In this article I will give some hints aimed at reducing data protection risks. But be careful: A 100% legally compliant solution is currently not attainable!

The actual problem

But what is the real problem? A lot has already been written about this, so what follows is a short summary as a refresher.

In the context of tracking fans with the „Insights“ function, the court recognized a joint responsibility of the Fanpage operator and Facebook[5]. Therefore, article 26 (Joint Controllers) of the GDPR applies[6].

Article 26 determines special duties for both contracting parties. Facebook provided such a contractual agreement at a later date[7].

The European Data Protection Conference (German abbreviation: DSK) still considered this agreement problematic in its position paper from 04/01/2019[8].

In summary the DSK stated the following:

  • Each controller needs a legal basis for the data processing for which he is responsible, (…) also in cases in which he does not process the data directly himself.
  • Without adequate knowledge about the data processing for which they are liable, the controllers are not capable of assessing whether the data processing is legal.
  • The statements of Facebook about the headquarters and lead supervisor are criticised as well, because Facebook determines the Irish supervisor as lead supervisor.

Facebook demands a legal basis for processing from the Fanpage operators. But since the Fanpage operator does not have enough insight into the data processing, he is not able to designate a legal basis. Thus, only consent according to article 6 (1a) is possible. But the consent can only be integrated within the website, not directly on the Fanpage. Facebook-Fanpages are publicly accessible, so users can reach the Fanpage without visiting the website.

Furthermore, Facebook demands that requests of data subjects be forwarded directly to Facebook, and Facebook prohibits the Fanpage operators from informing the data subjects themselves. This contradicts article 26 GDPR[9]. The fact that Facebook determines the Irish supervisor as the lead supervisor contradicts article 77 (1) GDPR[10].

The DSK noted that both Facebook and Fanpage operators have to fulfil their accountability obligations.

How can Fanpage operators solve this problem?

As already stated, legally operating a Facebook-Fanpage is not possible. You can at least reduce the risks, though. The following measures are recommended:

  • Customize the consent banner on your website and add a note about the tracking on the Facebook Fanpage, with a consent checkbox.
  • Inform about the Facebook tracking in the privacy policy of your website.
  • Integrate a link to the privacy policy of your website in a prominent position on your Facebook Fanpage. This should include the following points[11]:
      ◦ Rights of data subjects can be claimed both with Facebook Ireland and with yourself.
      ◦ The main responsibility for processing the Insights data lies with Facebook, and Facebook fulfils all duties in accordance with the GDPR in relation to the processing of the Insights data.
      ◦ The Fanpage operators do not take any decisions regarding the processing of Insights data, nor regarding the resulting further information according to article 13 GDPR. This includes the legal basis, the identity of the controller and the storage period of cookies on all devices.

  • Add a link to the Facebook information about the Insights-function on your Fanpage (Link: https://www.facebook.com/legal/terms/information_about_page_insights_data)
  • If you receive a request from a data subject, forward this to Facebook immediately in accordance with the addendum. Use this link: https://www.facebook.com/help/contact/308592359910928
  • It is highly recommended to ask Facebook Ireland to provide a legal agreement in accordance with article 26 GDPR. It is to be expected that Facebook will not respond. But you can then state towards the authorities that you tried everything to achieve lawful processing and to avoid shortcomings in terms of data protection.
  • Also check your other social-media presences.

Conclusion

Social media presences like Facebook-Fanpages remain difficult, because the regulations of the GDPR cannot be fully complied with.

Facebook did update its conditions for page insights in October 2019 and promises that no personal data of persons who do not have a Facebook account will be processed[12], but whether this is sufficient for the authorities is doubtful.

The most recent court judgement on this topic was passed in September 2019 by the Federal Administrative Court. In summary, the court says that a supervisor can prohibit a Facebook-Fanpage if the infrastructure of Facebook is insufficient[13].

Fanpage operators can only try to reduce their risks through the measures described above. It is yet to be seen how this issue will be assessed and regulated in the future. So, I recommend observing this topic as closely as possible.

 


Sources

[1]     „CURIA - Recueil général – Cour de justice“, https://curia.europa.eu/juris/liste.jsf?num=C-210/16&language=DE.

[2]     „Social-Media-Trends 2021“, https://upload-magazin.de/47618-social-media-trends-2021/.

[3]     „Social Media: Datenschutz in den sozialen Medien - Finanztip“, https://www.finanztip.de/social-media-datenschutz/.

[4]     „Welcher Teenager liest denn sowas? Die Datenschutzrichtlinien von TikTok erfordern 104 Minuten Lesedauer. - DSB Ratgeber“, https://www.dsb-ratgeber.de/artikel/datenschutz-bestimmungen-tiktok.html.

[5]     „Datenschutzkonforme Facebook-Fanpages nach DSGVO“, https://www.activemind.de/magazin/facebook-fanpages-dsgvo/.

[6]     „Art. 26 DSGVO – Gemeinsam Verantwortliche“, https://dsgvo-gesetz.de/art-26-dsgvo/.

[7]     „Facebook“, https://www.facebook.com/legal/terms/page_controller_addendum.

[10]   „Art. 77 DSGVO – Gemeinsam Verantwortliche“, https://dsgvo-gesetz.de/art-77-dsgvo/.

[11]   „Datenschutzkonforme Facebook-Fanpages nach DSGVO“, https://www.activemind.de/magazin/facebook-fanpages-dsgvo/.

[12]   „Facebook veröffentlicht aktualisierte ‚Seiten-Insights-Ergänzung‘“, https://www.troeber.de/news/datenschutzrecht/facebook-veroffentlicht-aktualisierte-seiten-insight-erganzung/.